devise_token_auth_multi_email 0.9.0

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
+module DeviseTokenAuth
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, only: [:destroy]
+    after_action :reset_session, only: [:destroy]
+
+    def new
+      render_new_error
+    end
+
+    def create
+      if field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
+        q_value = get_case_insensitive_field_from_resource_params(field)
+
+        @resource = find_resource(field, q_value)
+      end
+
+      if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        valid_password = @resource.valid_password?(resource_params[:password])
+        if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
+          return render_create_error_bad_credentials
+        end
+
+        create_and_assign_token
+
+        sign_in(@resource, scope: :user, store: false, bypass: false)
+
+        yield @resource if block_given?
+
+        render_create_success
+      elsif @resource && !Devise.paranoid && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        if @resource.respond_to?(:locked_at) && @resource.locked_at
+          render_create_error_account_locked
+        else
+          render_create_error_not_confirmed
+        end
+      else
+        hash_password_in_paranoid_mode
+        render_create_error_bad_credentials
+      end
+    end
+
+    def destroy
+      # remove auth instance variables so that after_action does not run
+      user = remove_instance_variable(:@resource) if @resource
+      client = @token.client
+      @token.clear!
+
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
+        user.save!
+
+        if DeviseTokenAuth.cookie_enabled
+          # If a cookie is set with a domain specified then it must be deleted with that domain specified
+          # See https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
+          cookies.delete(DeviseTokenAuth.cookie_name, domain: DeviseTokenAuth.cookie_attributes[:domain])
+        end
+
+        yield user if block_given?
+
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+
+    protected
+
+    def valid_params?(key, val)
+      resource_params[:password] && key && val
+    end
+
+    def get_auth_params
+      auth_key = nil
+      auth_val = nil
+      # iterate thru allowed auth keys, use first found
+      resource_class.authentication_keys.each do |k|
+        if resource_params[k]
+          auth_val = resource_params[k]
+          auth_key = k
+          break
+        end
+      end
+
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(auth_key)
+        auth_val.downcase!
+      end
+
+      { key: auth_key, val: auth_val }
+    end
+
+    def render_new_error
+      render_error(405, I18n.t('devise_token_auth.sessions.not_supported'))
+    end
+
+    def render_create_success
+      render json: {
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+
+    def render_create_error_not_confirmed
+      render_error(401, I18n.t('devise_token_auth.sessions.not_confirmed', email: @resource.email))
+    end
+
+    def render_create_error_account_locked
+      render_error(401, I18n.t('devise.mailer.unlock_instructions.account_lock_msg'))
+    end
+
+    def render_create_error_bad_credentials
+      render_error(401, I18n.t('devise_token_auth.sessions.bad_credentials'))
+    end
+
+    def render_destroy_success
+      render json: {
+        success:true
+      }, status: 200
+    end
+
+    def render_destroy_error
+      render_error(404, I18n.t('devise_token_auth.sessions.user_not_found'))
+    end
+
+    private
+
+    def resource_params
+      params.permit(*params_for_resource(:sign_in))
+    end
+
+    def create_and_assign_token
+      if @resource.respond_to?(:with_lock) && !@resource.changed?
+        @resource.with_lock do
+          @token = @resource.create_token
+          @resource.save!
+        end
+      else
+        @token = @resource.create_token
+        @resource.save!
+      end
+    end
+
+    def hash_password_in_paranoid_mode
+      # In order to avoid timing attacks in paranoid mode, we want the password hash to be
+      # calculated even if no resource has been found. Devise's DatabaseAuthenticatable warden
+      # strategy handles this case similarly:
+      # https://github.com/heartcombo/devise/blob/main/lib/devise/strategies/database_authenticatable.rb
+      resource_class.new.password = resource_params[:password] if Devise.paranoid
+    end
+  end
+end

data/app/controllers/devise_token_auth/token_validations_controller.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class TokenValidationsController < DeviseTokenAuth::ApplicationController
+    skip_before_action :assert_is_devise_resource!, only: [:validate_token]
+    before_action :set_user_by_token, only: [:validate_token]
+
+    def validate_token
+      # @resource will have been set by set_user_by_token concern
+      if @resource
+        yield @resource if block_given?
+        render_validate_token_success
+      else
+        render_validate_token_error
+      end
+    end
+
+    protected
+
+    def render_validate_token_success
+      render json: {
+        success: true,
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+
+    def render_validate_token_error
+      render_error(401, I18n.t('devise_token_auth.token_validations.invalid'))
+    end
+  end
+end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class UnlocksController < DeviseTokenAuth::ApplicationController
+    skip_after_action :update_auth_header, only: [:create, :show]
+
+    # this action is responsible for generating unlock tokens and
+    # sending emails
+    def create
+      return render_create_error_missing_email unless resource_params[:email]
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:email, @email)
+
+      if @resource
+        yield @resource if block_given?
+
+        @resource.send_unlock_instructions(
+          email: @email,
+          provider: 'email',
+          client_config: params[:config_name]
+        )
+
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          render_create_error @resource.errors
+        end
+      else
+        render_not_found_error
+      end
+    end
+
+    def show
+      @resource = resource_class.unlock_access_by_token(params[:unlock_token])
+
+      if @resource.persisted?
+        token = @resource.create_token
+        @resource.save!
+        yield @resource if block_given?
+
+        redirect_header_options = { unlock: true }
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
+                                             redirect_headers),
+                                             redirect_options)
+      else
+        render_show_error
+      end
+    end
+
+    private
+    def after_unlock_path_for(resource)
+      #TODO: This should probably be a configuration option at the very least.
+      '/'
+    end
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.unlocks.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+        success: true,
+        message: success_message('unlocks', @email)
+      }
+    end
+
+    def render_create_error(errors)
+      render json: {
+        success: false,
+        errors: errors
+      }, status: 400
+    end
+
+    def render_show_error
+      raise ActionController::RoutingError, 'Not Found'
+    end
+
+    def render_not_found_error
+      if Devise.paranoid
+        render_create_success
+      else
+        render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+      end
+    end
+
+    def resource_params
+      params.permit(:email, :unlock_token, :config)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -0,0 +1,18 @@
+module DeviseTokenAuth::Concerns::ActiveRecordSupport
+  extend ActiveSupport::Concern
+
+  included do
+    if Rails.gem_version >= Gem::Version.new("7.1.0.a")
+      serialize :tokens, coder: DeviseTokenAuth::Concerns::TokensSerialization
+    else
+      serialize :tokens, DeviseTokenAuth::Concerns::TokensSerialization
+    end
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/confirmable_support.rb

@@ -0,0 +1,28 @@
+module DeviseTokenAuth::Concerns::ConfirmableSupport
+  extend ActiveSupport::Concern
+
+  included do
+    # Override standard devise `postpone_email_change?` method
+    # for not to use `devise_will_save_change_to_email?` methods.
+    def postpone_email_change?
+      postpone = self.class.reconfirmable &&
+        email_value_in_database != email &&
+        !@bypass_confirmation_postpone &&
+        self.email.present? &&
+        (!@skip_reconfirmation_in_callback || !email_value_in_database.nil?)
+      @bypass_confirmation_postpone = false
+      postpone
+    end
+  end
+
+  protected
+
+  def email_value_in_database
+    rails51 = Rails.gem_version >= Gem::Version.new("5.1.x")
+    if rails51 && respond_to?(:email_in_database)
+      email_in_database
+    else
+      email_was
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/mongoid_support.rb

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::Concerns::MongoidSupport
+  extend ActiveSupport::Concern
+
+  def as_json(options = {})
+    options[:except] = (options[:except] || []) + [:_id]
+    hash = super(options)
+    hash['id'] = to_param
+    hash
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    rescue Mongoid::Errors::DocumentNotFound
+      nil
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/tokens_serialization.rb

@@ -0,0 +1,31 @@
+module DeviseTokenAuth::Concerns::TokensSerialization
+  extend self
+  # Serialization hash to json
+  def dump(object)
+    JSON.generate(object && object.transform_values do |token|
+      serialize_updated_at(token).compact
+    end.compact)
+  end
+
+  # Deserialization json to hash
+  def load(json)
+    case json
+    when String
+      JSON.parse(json)
+    when NilClass
+      {}
+    else
+      json
+    end
+  end
+
+  private
+
+  def serialize_updated_at(token)
+    updated_at_key = ['updated_at', :updated_at].find(&token.method(:[]))
+
+    return token unless token[updated_at_key].respond_to?(:iso8601)
+
+    token.merge updated_at_key => token[updated_at_key].iso8601
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb

@@ -0,0 +1,282 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Concerns::User
+  extend ActiveSupport::Concern
+
+  def self.tokens_match?(token_hash, token)
+    @token_equality_cache ||= {}
+
+    key = "#{token_hash}/#{token}"
+    result = @token_equality_cache[key] ||= DeviseTokenAuth::TokenFactory.token_hash_is_token?(token_hash, token)
+    @token_equality_cache = {} if @token_equality_cache.size > 10000
+    result
+  end
+
+  included do
+    # Hack to check if devise is already enabled
+    if method_defined?(:devise_modules)
+      devise_modules.delete(:omniauthable)
+    else
+      devise :database_authenticatable, :registerable,
+             :recoverable, :validatable, :confirmable
+    end
+
+    if const_defined?('ActiveRecord') && ancestors.include?(ActiveRecord::Base)
+      include DeviseTokenAuth::Concerns::ActiveRecordSupport
+    end
+
+    if const_defined?('Mongoid') && ancestors.include?(Mongoid::Document)
+      include DeviseTokenAuth::Concerns::MongoidSupport
+    end
+
+    if DeviseTokenAuth.default_callbacks
+      include DeviseTokenAuth::Concerns::UserOmniauthCallbacks
+    end
+
+    # get rid of dead tokens
+    before_save :destroy_expired_tokens
+
+    # remove old tokens if password has changed
+    before_save :remove_tokens_after_password_reset
+
+    # don't use default devise email validation
+    def email_required?; false; end
+    def devise_will_save_change_to_email?; false; end
+
+    if DeviseTokenAuth.send_confirmation_email && devise_modules.include?(:confirmable)
+      include DeviseTokenAuth::Concerns::ConfirmableSupport
+    end
+
+    def password_required?
+      return false unless provider == 'email'
+      super
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_confirmation_instructions(opts = {})
+      generate_confirmation_token! unless @raw_confirmation_token
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+      opts[:to] = unconfirmed_email if pending_reconfirmation?
+      opts[:redirect_url] ||= DeviseTokenAuth.default_confirm_success_url
+
+      send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_reset_password_instructions(opts = {})
+      token = set_reset_password_token
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+
+      send_devise_notification(:reset_password_instructions, token, opts)
+      token
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_unlock_instructions(opts = {})
+      raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
+      self.unlock_token = enc
+      save(validate: false)
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+
+      send_devise_notification(:unlock_instructions, raw, opts)
+      raw
+    end
+
+    def create_token(client: nil, lifespan: nil, cost: nil, **token_extras)
+      token = DeviseTokenAuth::TokenFactory.create(client: client, lifespan: lifespan, cost: cost)
+
+      tokens[token.client] = {
+        token:  token.token_hash,
+        expiry: token.expiry
+      }.merge!(token_extras)
+
+      clean_old_tokens
+
+      token
+    end
+  end
+
+  def valid_token?(token, client = 'default')
+    return false unless tokens[client]
+    return true if token_is_current?(token, client)
+    return true if token_can_be_reused?(token, client)
+
+    # return false if none of the above conditions are met
+    false
+  end
+
+  # this must be done from the controller so that additional params
+  # can be passed on from the client
+  def send_confirmation_notification?; false; end
+
+  def token_is_current?(token, client)
+    # ghetto HashWithIndifferentAccess
+    expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
+    token_hash = tokens[client]['token'] || tokens[client][:token]
+    previous_token_hash = tokens[client]['previous_token'] || tokens[client][:previous_token]
+
+    return true if (
+      # ensure that expiry and token are set
+      expiry && token &&
+
+      # ensure that the token has not yet expired
+      DateTime.strptime(expiry.to_s, '%s') > Time.zone.now &&
+
+      # ensure that the token is valid
+      (
+        # check if the latest token matches
+        does_token_match?(token_hash, token) ||
+
+        # check if the previous token matches
+        does_token_match?(previous_token_hash, token)
+      )
+    )
+  end
+
+  # check if the hash of received token matches the stored token
+  def does_token_match?(token_hash, token)
+    return false if token_hash.nil?
+
+    DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+  end
+
+  # allow batch requests to use the last token
+  def token_can_be_reused?(token, client)
+    # ghetto HashWithIndifferentAccess
+    updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
+    last_token_hash = tokens[client]['last_token'] || tokens[client][:last_token]
+
+    return true if (
+      # ensure that the last token and its creation time exist
+      updated_at && last_token_hash &&
+
+      # ensure that last token falls within the batch buffer throttle time of the last request
+      updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
+
+      # ensure that the token is valid
+      DeviseTokenAuth::TokenFactory.token_hash_is_token?(last_token_hash, token)
+    )
+  end
+
+  # update user's auth token (should happen on each request)
+  def create_new_auth_token(client = nil)
+    now = Time.zone.now
+
+    token = create_token(
+      client: client,
+      previous_token: tokens.fetch(client, {})['token'],
+      last_token: tokens.fetch(client, {})['previous_token'],
+      updated_at: now
+    )
+
+    update_auth_headers(token.token, token.client)
+  end
+
+  def build_auth_headers(token, client = 'default')
+    # client may use expiry to prevent validation request if expired
+    # must be cast as string or headers will break
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
+    headers = {
+      DeviseTokenAuth.headers_names[:"access-token"] => token,
+      DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
+      DeviseTokenAuth.headers_names[:"client"]       => client,
+      DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
+      DeviseTokenAuth.headers_names[:"uid"]          => uid
+    }
+    headers.merge(build_bearer_token(headers))
+  end
+
+  def build_bearer_token(auth)
+    return {} if DeviseTokenAuth.cookie_enabled # There is no need for the bearer token if it is using cookies
+
+    encoded_token = Base64.strict_encode64(auth.to_json)
+    bearer_token = "Bearer #{encoded_token}"
+    { DeviseTokenAuth.headers_names[:"authorization"] => bearer_token }
+  end
+
+  def update_auth_headers(token, client = 'default')
+    headers = build_auth_headers(token, client)
+    clean_old_tokens
+    save!
+
+    headers
+  end
+
+  def build_auth_url(base_url, args)
+    args[:uid]    = uid
+    args[:expiry] = tokens[args[:client_id]]['expiry']
+
+    DeviseTokenAuth::Url.generate(base_url, args)
+  end
+
+  def extend_batch_buffer(token, client)
+    tokens[client]['updated_at'] = Time.zone.now
+    update_auth_headers(token, client)
+  end
+
+  def confirmed?
+    devise_modules.exclude?(:confirmable) || super
+  end
+
+  def token_validation_response
+    as_json(except: %i[tokens created_at updated_at])
+  end
+
+  protected
+
+  def destroy_expired_tokens
+    if tokens
+      tokens.delete_if do |cid, v|
+        expiry = v[:expiry] || v['expiry']
+        DateTime.strptime(expiry.to_s, '%s') < Time.zone.now
+      end
+    end
+  end
+
+  def should_remove_tokens_after_password_reset?
+    DeviseTokenAuth.remove_tokens_after_password_reset &&
+      (respond_to?(:encrypted_password_changed?) && encrypted_password_changed?)
+  end
+
+  def remove_tokens_after_password_reset
+    return unless should_remove_tokens_after_password_reset?
+
+    if tokens.present? && tokens.many?
+      client, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
+      self.tokens = { client => token_data }
+    end
+  end
+
+  def max_client_tokens_exceeded?
+    tokens.length > DeviseTokenAuth.max_number_of_devices
+  end
+
+  def clean_old_tokens
+    return if tokens.blank? || !max_client_tokens_exceeded?
+
+    # First, remove any tokens with expiry greater than current max allowed lifespan
+    #   this handles the case where token lifespan was reduced and old tokens exist
+    max_lifespan_expiry = Time.now.to_i + DeviseTokenAuth.token_lifespan.to_i
+    tokens_to_keep = tokens.select do |_cid, v|
+      expiry = (v[:expiry] || v['expiry']).to_i
+      expiry <= max_lifespan_expiry
+    end
+
+    # Using Enumerable#sort_by on a Hash will typecast it into an associative
+    #   Array (i.e. an Array of key-value Array pairs). However, since Hashes
+    #   have an internal order in Ruby 1.9+, the resulting sorted associative
+    #   Array can be converted back into a Hash, while maintaining the sorted
+    #   order.
+    self.tokens = tokens_to_keep.sort_by { |_cid, v| v[:expiry] || v['expiry'] }.to_h
+
+    # Since the tokens are sorted by expiry, shift the oldest client token
+    #   off the Hash until it no longer exceeds the maximum number of clients
+    tokens.shift while max_client_tokens_exceeded?
+  end
+end

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
+  extend ActiveSupport::Concern
+
+  included do
+    validates :email, presence: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates_presence_of :uid, if: lambda { uid_and_provider_defined? && !email_provider? }
+
+    # Provide support for devise-multi_email - they implement case_sensitive
+    # and maintain uniqueness themselves.
+    unless Gem.loaded_specs[ 'devise-multi_email' ]
+      # only validate unique emails among email registration users
+      validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: lambda { uid_and_provider_defined? && email_provider? }
+    end
+
+    # keep uid in sync with email
+    before_save :sync_uid
+    before_create :sync_uid
+  end
+
+  protected
+
+  def uid_and_provider_defined?
+    defined?(provider) && defined?(uid)
+  end
+
+  def email_provider?
+    provider == 'email'
+  end
+
+  def sync_uid
+    unless self.new_record?
+      return if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone && postpone_email_change?
+    end
+    self.uid = email if uid_and_provider_defined? && email_provider?
+  end
+end